Network Architecture
All the machines use the NAT Network mode inside of VirtualBox. This keeps the malware contained in a virtual network that the VMs share with each other, so that it does not affect our physical host.
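A quick way to confirm that the containment described above actually holds is to audit each VM's adapter settings before detonating anything. The script below is an added example, not part of the original lab write-up: it parses the key=value output that `VBoxManage showvminfo <vm> --machinereadable` prints (the keys `nic1`, `nat-network1` and `bridgeadapter1` are assumed from VirtualBox's output format) and flags any adapter that is not either disabled or attached to the lab's NAT network. The NAT network name `MalwareLab` and the sample VM output are constructed for the example.

```python
"""Audit VirtualBox VMs so that every enabled NIC sits on the isolated lab NAT network.

Added example. Assumes the key="value" format of
`VBoxManage showvminfo <vm> --machinereadable` with keys such as
nic1="natnetwork", nat-network1="<name>", nic1="bridged", bridgeadapter1="eth0".
"""
import re
import subprocess
from typing import Dict, List

# Hypothetical name of the lab's NAT network (created with `VBoxManage natnetwork add`).
ALLOWED_NAT_NETWORK = "MalwareLab"

# Constructed sample output for two VMs: one correctly isolated, one bridged to the host LAN.
SAMPLE_SHOWVMINFO = {
    "wazuh-server": (
        'name="wazuh-server"\n'
        'nic1="natnetwork"\n'
        'nat-network1="MalwareLab"\n'
        'nic2="none"\n'
    ),
    "win10-victim": (
        'name="win10-victim"\n'
        'nic1="bridged"\n'
        'bridgeadapter1="eth0"\n'
        'nic2="none"\n'
    ),
}


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn key="value" lines into a dict, stripping the surrounding quotes."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def audit_nics(info: Dict[str, str], allowed_network: str) -> List[str]:
    """Return one problem string per adapter that could leak traffic off the lab network.

    Only two states are accepted: the adapter is disabled ("none") or it is a
    NAT Network adapter attached to `allowed_network`. Bridged, plain NAT, host-only
    and every other mode are reported for review.
    """
    problems: List[str] = []
    for key, mode in info.items():
        match = re.fullmatch(r"nic(\d+)", key)
        if not match:
            continue
        idx = match.group(1)
        if mode == "none":
            continue
        if mode == "natnetwork":
            net = info.get(f"nat-network{idx}", "")
            if net != allowed_network:
                problems.append(f"nic{idx}: NAT network '{net}' is not '{allowed_network}'")
            continue
        problems.append(f"nic{idx}: mode '{mode}' is not the lab NAT network")
    return problems


def audit_vm(showvminfo_output: str, allowed_network: str = ALLOWED_NAT_NETWORK) -> List[str]:
    """Audit one VM from its showvminfo text; an empty list means it is correctly isolated."""
    return audit_nics(parse_machinereadable(showvminfo_output), allowed_network)


def audit_live_vm(vm_name: str, allowed_network: str = ALLOWED_NAT_NETWORK) -> List[str]:
    """Run VBoxManage on the host and audit the real VM (requires VirtualBox installed)."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit_vm(out, allowed_network)


if __name__ == "__main__":
    for vm, output in SAMPLE_SHOWVMINFO.items():
        findings = audit_vm(output)
        print(vm, "OK" if not findings else findings)
```

Run it as-is to see the constructed sample; on the actual host, call `audit_live_vm("<vm name>")` for each lab VM before powering the malware sample up.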
We can learn more about the various networking options inside of VirtualBox from these resources:
The architecture of the lab is as follows:
Wazuh server - SIEM and XDR
Indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities.
Wazuh agent - Endpoint detection
Protects the system by providing threat prevention, detection, and response capabilities.
Collects different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel.
Cortex/MISP - Threat Intelligence
Threat intelligence platform on which observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed using a web interface.
Shuffle - SOAR platform
No-code automation platform (SOAR) that lets users automate processes.
TheHive - Case Management
Allows SOC analysts to collaborate, elaborate and act on investigations.